Tomcat: Information Leakage Vulnerability (WAF and Login/IAM)

Submitted on 6 January 2017 - 10:33 by robink. Last update on 19 January 2017 - 14:57.

IDs:

CVE-2016-8745

Keywords:

tomcat, information leakage, NIO

Description:

The bug described in CVE-2016-8745 may result in information leakage between requests: an attacker may be able to obtain session IDs, response bodies, and more belonging to other users' requests. The vulnerability is only present when the Tomcat NIO HTTP connector is used.

Airlock WAF is not affected

The NIO HTTP connector is not used in Airlock WAF.

Airlock Login/IAM is not affected in the default configuration

Airlock Login/IAM does not use the NIO HTTP connector in the default configuration. If the default configuration has been changed to use the NIO HTTP connector, Airlock Login/IAM may be affected; see resolution.

Back-ends behind Airlock WAF using Tomcat may be affected

Back-ends protected by Airlock WAF that run an affected Apache Tomcat version with the NIO HTTP connector may be vulnerable; see resolution.

Resolution:

Back-ends: We recommend updating Tomcat to version 9.0.0.M15, 8.5.9, 8.0.40, 7.0.74, 6.0.49 or later on back-end systems if the NIO HTTP connector is used, or configuring a different connector.

Airlock Login/IAM: If the default configuration was changed to use the NIO HTTP connector, we recommend reverting to the default configuration as follows: in the Tomcat server.xml Connector elements, switch the value of the 'protocol' attribute from "org.apache.coyote.http11.Http11NioProtocol" back to the default "HTTP/1.1".
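As an added check (not part of the Airlock advisory or product), the following Python script audits a Tomcat server.xml for Connector elements whose 'protocol' attribute explicitly selects Http11NioProtocol and rewrites them to the default "HTTP/1.1" described above; the sample server.xml is constructed.

```python
# Added example, not part of the Airlock advisory: audit a Tomcat server.xml
# for HTTP connectors that explicitly select the NIO implementation affected
# by CVE-2016-8745, and rewrite them to the default "HTTP/1.1" value.
import re
import xml.etree.ElementTree as ET

NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"
DEFAULT_PROTOCOL = "HTTP/1.1"

# Constructed sample: one connector switched to NIO, one left at the default,
# plus an AJP connector that is out of scope for this advisory.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

def audit_connectors(server_xml: str) -> list:
    """Return (port, protocol, uses_nio) for every Connector element.

    Only an explicit Http11NioProtocol value is reported as NIO; a missing
    'protocol' attribute is treated as the "HTTP/1.1" default.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", DEFAULT_PROTOCOL)
        findings.append((conn.get("port"), protocol, protocol == NIO_PROTOCOL))
    return findings

def revert_to_default(server_xml: str) -> str:
    """Textually replace explicit NIO protocol values with "HTTP/1.1".

    A regex edit (rather than re-serialising the tree) keeps comments,
    the XML declaration and the original formatting of the file intact.
    """
    pattern = r"""protocol=(["'])org\.apache\.coyote\.http11\.Http11NioProtocol\1"""
    return re.sub(pattern, r"protocol=\1HTTP/1.1\1", server_xml)

if __name__ == "__main__":
    for port, protocol, nio in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: protocol={protocol} -> {'AFFECTED (NIO)' if nio else 'ok'}")
    fixed = revert_to_default(SAMPLE_SERVER_XML)
    print("after revert:", [n for _, _, n in audit_connectors(fixed)])
```

The check only flags connectors that explicitly name the NIO class; which implementation Tomcat actually started is recorded in its startup log under the ProtocolHandler name (for example http-nio-8080 versus http-bio-8080), which is the place to confirm the change after a restart.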